Speed Up Secure Boot Rollout

Microsoft rolls out the 2026 Secure Boot certificate gradually, gating each device on telemetry about its hardware and Windows version. Endpoints that have not yet been selected can be opted in by setting two registry values. The certificate update itself still runs through Microsoft's own scheduled task, with all of Microsoft's per-device safety checks intact; the opt-in only tells Windows "this device is ready, do not wait for the gradual rollout signal".

You can apply these registry values fleet-wide using a TridentStack Control Policy Object.

When to use this

  • You want to accelerate the 2026 Secure Boot rotation across some or all of your fleet.
  • You have reviewed your endpoints' hardware and are not aware of any with known firmware issues that would make Secure Boot updates risky.

When not to use this

  • You operate any dual-boot Linux machines whose distros depend on shim binaries signed under the older 2011 certificate. Verify Linux readiness first.
  • You have endpoints with custom or third-party Secure Boot policies. The opt-in only affects Microsoft's own update path.

Step-by-step

  1. In TridentStack Control, go to Policy Objects, then New Policy Object.
  2. Name it something memorable, for example "Secure Boot 2026 Opt-In".
  3. Add two Custom Registry Settings:

     Setting 1
       Field        Value
       Hive         HKEY_LOCAL_MACHINE
       Key path     SYSTEM\CurrentControlSet\Control\SecureBoot
       Value name   AvailableUpdates
       Type         REG_DWORD
       Data         0x5944 (decimal 22852)

     Setting 2
       Field        Value
       Hive         HKEY_LOCAL_MACHINE
       Key path     SYSTEM\CurrentControlSet\Control\SecureBoot
       Value name   MicrosoftUpdateManagedOptIn
       Type         REG_DWORD
       Data         1

  4. Assign the Policy Object to a tag matching your target endpoints.
  5. Save.

The registry values are applied at the next agent check-in. Microsoft's \Microsoft\Windows\PI\Secure-Boot-Update scheduled task picks up the opt-in on its next 12-hour run, and the certificate update typically completes over the following two reboots (about 48 hours). In TridentStack Control the endpoint's status moves from Not Started to In Progress to Updated.
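Before assigning the Policy Object to a whole tag, it is worth applying the same opt-in by hand on one pilot endpoint and watching it go through. The script below is an added example, not TridentStack's or Microsoft's code. It uses only the registry values and the scheduled task path given above; the helper function names and the "Windows UEFI CA 2023" subject string it looks for in the UEFI db (taken from Microsoft's own guidance, not from this page) are this example's assumptions. Run it in an elevated PowerShell session on the endpoint.

```powershell
#Requires -RunAsAdministrator
# Added example: opt one pilot endpoint in to the Microsoft-managed Secure Boot
# certificate update and check its progress. Not TridentStack's or Microsoft's code.

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$TaskPath = '\Microsoft\Windows\PI\'
$TaskName = 'Secure-Boot-Update'

# Registry data exactly as in the Policy Object above. 0x5944 is 22852 decimal.
$OptInValues = [ordered]@{
    AvailableUpdates            = 0x5944
    MicrosoftUpdateManagedOptIn = 1
}

# Assumption: subject of the renewed CA to look for in the UEFI db (from
# Microsoft's guidance, not from this page). Adjust if you target another CA.
$ExpectedCaSubject = 'Windows UEFI CA 2023'

function Assert-SecureBootEnabled {
    # Opting in only makes sense on a UEFI machine with Secure Boot switched on.
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            throw 'Secure Boot is disabled on this endpoint; not opting it in.'
        }
    } catch [System.PlatformNotSupportedException] {
        throw 'No UEFI Secure Boot support on this endpoint (legacy BIOS?).'
    }
}

function Set-SecureBootOptIn {
    # Write both DWORDs the same way the Policy Object would.
    foreach ($name in $OptInValues.Keys) {
        New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
            -Value $OptInValues[$name] -Force | Out-Null
    }
}

function Remove-SecureBootOptIn {
    # Mirror of the "Reverting" section: zero both values so the endpoint
    # drops back into Microsoft's gradual rollout.
    foreach ($name in $OptInValues.Keys) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value 0 -Type DWord
    }
}

function Get-SecureBootRolloutStatus {
    $reg  = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $task = Get-ScheduledTaskInfo -TaskPath $TaskPath -TaskName $TaskName
    # db is raw EFI_SIGNATURE_LIST bytes; the CA subject sits inside the
    # DER-encoded certificate as plain ASCII, so a substring match is enough.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    [pscustomobject]@{
        AvailableUpdates            = $reg.AvailableUpdates
        MicrosoftUpdateManagedOptIn = $reg.MicrosoftUpdateManagedOptIn
        TaskLastRunTime             = $task.LastRunTime
        TaskLastResult              = $task.LastTaskResult   # 0 means success
        TaskNextRunTime             = $task.NextRunTime
        NewCaInDb                   = $dbText.Contains($ExpectedCaSubject)
    }
}

# --- pilot run ---
Assert-SecureBootEnabled
Set-SecureBootOptIn

# Do not wait up to 12 hours for the schedule; trigger the task now.
Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
Start-Sleep -Seconds 30

Get-SecureBootRolloutStatus | Format-List
```

NewCaInDb stays $false until the task has actually written the new CA into the firmware's db, and the endpoint only reaches Updated after the reboots described above, so rerun Get-SecureBootRolloutStatus after each reboot rather than judging the pilot from the first output. Remove-SecureBootOptIn is the per-endpoint equivalent of the revert procedure below.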

Reverting

If you need to opt out, edit the Policy Object and either remove the registry values or set both to 0. Once opted out, those endpoints return to Microsoft's gradual rollout. Note that opting out does not undo an update that has already been applied: a certificate already written into the firmware's db stays there.

Reference